I have 2 Splunk test servers. I had one as an indexer and one as the search head. But we need to restore a single index=restoredb from our production instance to this test env. We have 2 indexers in our production servers, so I have made both test servers indexers, with one of those 2 still being a search head. I'm a little confused about how to set up distributed searching. When I try to add the search head/indexer it says 'Duplicate Servername'. I'm not sure if this means that the search will automatically look on the search head and then the other indexer?
Our production indexers are not clustered. So the data from both needs to be restored to different places to look at all the data.
Quick answer: Yes, in a distributed environment you can have one of your machines be a search head and an indexer while the other machine is just an indexer.
You do not need to add the search head as a distributed indexer of itself, as it will automatically look at the indexes within itself by default. Just ensure that the index you are copying is created on both test servers and then drop the data into that index on each server. The search head will then search its own indexes and also the indexes of the distributed indexer. (Remember that you may need to fiddle with user account permissions to search that index, but this may not be required if you have not changed much from the default setup.)
As a side note: The data from two indexers actually does not need to be restored to two different places (presuming you are running version 5 or higher). You can drop all of the buckets from the index on both indexers into the same index on ONE indexer, but you just need to ensure that the bucket ids (the number after the last underscore in the bucket name) don't collide. These need to be unique.
Hope this helps!
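The bucket id collision check from the side note above, as an added example that is not part of the original answer: it compares the bucket names already in the target index with the ones being copied in and proposes a new trailing id for each collision. The `db_<newest>_<oldest>_<id>` name layout for non-clustered warm/cold buckets, the rename-by-next-free-id scheme, the function names, and the sample bucket names are assumptions constructed for illustration.

```python
import re

# Assumed layout of a non-clustered warm/cold bucket directory name:
# db_<newest_epoch>_<oldest_epoch>_<id>
BUCKET_RE = re.compile(r"^db_(\d+)_(\d+)_(\d+)$")

def bucket_id(name):
    """Return the bucket id (the number after the last underscore), or None."""
    m = BUCKET_RE.match(name)
    return int(m.group(3)) if m else None

def plan_merge(target_names, incoming_names):
    """Map each incoming bucket name to a name whose id is unique in the target.

    Returns (plan, skipped): plan maps old name -> name to use in the target
    index; skipped lists entries that are not db_* buckets (e.g. hot buckets).
    """
    used = {bucket_id(n) for n in target_names} - {None}
    next_free = max(used, default=-1) + 1
    plan, skipped = {}, []
    for name in sorted(incoming_names):
        bid = bucket_id(name)
        if bid is None:
            skipped.append(name)
            continue
        new_name = name
        if bid in used:
            # Collision: keep the time range, swap in the next unused id.
            while next_free in used:
                next_free += 1
            bid = next_free
            new_name = f"{name.rsplit('_', 1)[0]}_{bid}"
        used.add(bid)  # also guards against collisions among incoming buckets
        plan[name] = new_name
    return plan, skipped

# Constructed sample listings of index "restoredb" on the two indexers.
INDEXER_A = ["db_1420070400_1417392000_0", "db_1422748800_1420070401_1",
             "db_1425168000_1422748801_2"]
INDEXER_B = ["db_1420070300_1417391000_0", "db_1422748700_1420070301_1",
             "db_1425167000_1422748701_5", "hot_v1_6"]

if __name__ == "__main__":
    plan, skipped = plan_merge(INDEXER_A, INDEXER_B)
    for old, new in plan.items():
        print(f"{old} -> {new}" if old != new else f"{old} (unchanged)")
    print("skipped:", skipped)
```
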
Hi @psutton_et
You can set up a search head as a search peer as stated here in documentation:
http://docs.splunk.com/Documentation/Splunk/6.2.2/DistSearch/Overviewofconfiguration#Deploy_non-dedi...
You would need to just add the other indexer server as a search peer to the dual-purpose search head/indexer server:
http://docs.splunk.com/Documentation/Splunk/6.2.2/DistSearch/Configuredistributedsearch
Have you tested any searches to see if they return any data specifically from the dual search head/indexer?
Thanks for the response. We did restore just an individual index on the 2 test servers and we were able to restore the data we needed.
We are still waiting for the restores to complete. As soon as they do, I will try.